I fully agree on the cypher then MAC policy. Deciphering is time consuming and by feeding bogus data could be used in a DOS attack. Without prior checking it may be possible to indirectly probe the deciphering process.
What I am not so sure is the choice of CTR. I currently prefer CFB.
CTR cyphers a value that changes with only a few bits, while CFB uses previous output which is much more random, though exposed, since it is the ciphered text.
Security under those circumstances is a design requirement for AES. CTR is secure if AES is secure. If known plaintext pairs differing in only a few bits break AES, we have bigger problems than CTR mode.
What I am not so sure is the choice of CTR. I currently prefer CFB.